Restore ability to override /etc/shadow file permissions and group owner (#293)

JonathonRoberts · web-flow · commit 295546f8a420 · 2022-01-27T16:42:30.000+01:00
diff --git a/README.md b/README.md
@@ -199,6 +199,11 @@ Otherwise puppet will drop an error (duplicate resource)!
   set to false to disable sysctl configuration
 * `manage_system_users = true`
   set to false to disable managing of system users (empty password and setting nologin shell)
+* `shadow_group = undef`
+  override the group ownership of /etc/shadow
+* `shadow_mode = undef`
+  override the file permissions of /etc/shadow
+
 
 ### Hiera usage
 
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -93,6 +93,9 @@
   Boolean           $enable_sysctl_config               = true,
 
   Optional[String]  $system_umask                       = undef,
+
+  Optional[String]  $shadow_group                       = undef,
+  Optional[String]  $shadow_mode                        = undef,
 ) {
 
   # Prepare
@@ -114,29 +117,31 @@
       $def_umask = '027'
       $def_sys_uid_min = 100
       $def_sys_gid_min = 100
-      $shadowgroup = 'shadow'
-      $shadowmode = '0640'
+      $def_shadowgroup = 'shadow'
+      $def_shadowmode = '0640'
     }
     'RedHat': {
       $def_umask = '077'
       $def_sys_uid_min = 201
       $def_sys_gid_min = 201
-      $shadowgroup = 'root'
-      $shadowmode = '0000'
+      $def_shadowgroup = 'root'
+      $def_shadowmode = '0000'
     }
     default: {
       $def_umask = '027'
       $def_sys_uid_min = 100
       $def_sys_gid_min = 100
-      $shadowgroup = 'root'
-      $shadowmode = '0600'
+      $def_shadowgroup = 'root'
+      $def_shadowmode = '0600'
     }
   }
 
   # Merge defaults
   $merged_umask = pick($umask, $def_umask)
   $merged_sys_uid_min = pick($sys_uid_min, $def_sys_uid_min)
   $merged_sys_gid_min = pick($sys_gid_min, $def_sys_gid_min)
+  $merged_shadowgroup = pick($shadow_group, $def_shadowgroup)
+  $merged_shadowmode  = pick($shadow_mode, $def_shadowmode)
 
   # Fix for Puppet Enterprise
   if $pe_environment {
@@ -180,8 +185,8 @@
     folders_to_restrict                => $folders_to_restrict_int,
     ignore_max_files_warnings          => $ignore_max_files_warnings,
     restrict_log_dir                   => $restrict_log_dir,
-    shadowgroup                        => $shadowgroup,
-    shadowmode                         => $shadowmode,
+    shadowgroup                        => $merged_shadowgroup,
+    shadowmode                         => $merged_shadowmode,
     recurselimit                       => $recurselimit,
   }
   class { 'os_hardening::modules':
